United States: Substance Use Disorder Confidentiality Regulations Modified To Align With HIPAA

Highlights

• The U.S. Department of Health and Human Services' Office for Civil Rights and Substance Abuse and Mental Health Services Administration have finalized rules to better align Confidentiality of Substance Use Disorder (SUD) Patient Records Part 2 Regulations with certain requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act.
• A Part 2 program may use and disclose SUD records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment and healthcare operations.
• The final rules make HIPAA and HITECH Act civil and criminal penalties applicable to violations of the Part 2 Regulations and create a safe harbor from civil and criminal liability for a person acting on behalf of an investigative agency having jurisdiction over the activities of a Part 2 program while providing other protections when other certain conditions are met.

After more than a year since the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) and Substance Abuse and Mental Health Services Administration (SAMHSA) issued the proposed changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations (known as "Part 2" of the "Part 2 Regulations") through a Notice of Proposed Rulemaking, these agencies have now finalized such rules to better harmonize the Part 2 Regulations with certain requirements under the Heath Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act.

In the midst of the COVID-19 pandemic, Congress passed Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which, in addition to providing relief during the public health emergency (PHE), amended the federal statute that establishes the protections for the confidentiality of SUD patient records. In addition, the HHS Secretary was charged with amending the Part 2 Regulations to align certain of its provisions with HIPAA and HITECH for purposes of reducing burden on providers and providing additional protections to Part 2 patients. The following is a summary of the significant changes to the Part 2 Regulations published on Feb. 16, 2024, as finalized by the Office of the National Coordinator for Health Information Technology (ONC) in coordination with SAMHSA.

Uses and Disclosures for Treatment, Payment and Healthcare Operations

A Part 2 program may use and disclose SUD records based on a single prior consent signed by the patient for all future uses and disclosures for treatment, payment and healthcare operations (TPO). Such consent must advise the patient regarding the potential for the records to be redisclosed and no longer be subject to protection under the Part 2 rules. In addition, the consent must advise the patient of the consequences for refusal to sign.

When a patient provides a single consent for all future uses and disclosures for TPO, a recipient who is a HIPAA-covered entity or business associate may use and disclose such SUD records as permitted by HIPAA until such time as the patient revokes the consent in writing. When SUD records are disclosed pursuant to a single consent for all future TPO activities to a Part 2 program that is not a covered entity or business associate, the Part 2 program may use and disclose such records in accordance with the consent. The Part 2 program, covered entity or business associate is still prohibited from using and disclosing the SUD records for civil, criminal, administrative and legislative proceedings against the patient.

When SUD records are disclosed for payment and healthcare operations activities to a lawful holder that is not a covered entity or business associate, the recipient may redisclose such records as may be necessary for its contractors, subcontractors or legal representatives to carry out the payment or healthcare operations specified in the consent. However, such lawful holders who wish to redisclose patient identifying information must have in place a written contract or comparable legal instrument with the contractor or voluntary legal representative, which provides that the contractor, subcontractor or voluntary legal representative is fully bound by the provisions of Part 2. In addition, a lawful holder must provide the recipient the required notice regarding the prohibition on redisclosures, require recipients to implement appropriate safeguards to prevent unauthorized uses and disclosure and require recipients to report any unauthorized uses, disclosures or breaches of patient identifying information to the lawful holder.

Breach Notification

The final rule incorporates HIPAA's breach notification rule into the Part 2 Regulations. Specifically, Part 2 programs are now required to comply with the HIPAA breach rule with respect to breaches of unsecured Part 2 records in the same manner as the breach rule applies to a covered entity with respect to breaches of unsecured protected health information. Unsecured Part 2 records mean any record that is not rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by the HHS Secretary in the guidance issued under Public Law 111-5, Section 13402(h)(2).

Notice of Privacy Practices

The final rule modifies the Part 2 patient confidentiality notice requirements to closely mirror the HIPAA notice of privacy practices (NPP) requirements. In addition to requiring a statement that a patient may provide a single consent for all future uses or disclosures for TPO, the notice must provide that records that are disclosed to a Part 2 program, covered entity or business associate with the patient's consent for TPO may be further disclosed by such entities without the patient's written consent to the extent the HIPAA regulations permit such disclosure. If a Part 2 program wishes to engage in fundraising activities, the notice must include a statement that the Part 2 program may use or disclose records to fundraise for the benefit for the program only if the patient is first provided a clear and conspicuous opportunity to elect not to receive fundraising communications.

Accounting of Disclosures

The final rule requires Part 2 programs to provide a patient, upon request, an accounting of all disclosures made with the patient's consent for the three years prior to the date of the request (or a shorter time period as chosen by the patient). The accounting of disclosures must meet certain requirements under the HIPAA Privacy Rule. An accounting for disclosures of records for TPO is required only where such disclosures are made through an electronic health record. The new accounting of disclosures requirement, however, will not go into effect until the HIPAA regulations are updated to address an accounting of disclosure through an electronic health record as required by the HITECH Act.

Right to Request Privacy Protection for Records

Similar to HIPAA, the final rule requires a Part 2 program to permit a patient to request that the program restrict uses and disclosures of the patient's SUD records to carry out TPO, including when the patient has signed written consent for such disclosures. However, a Part 2 program is not required to agree to a restriction unless the request is to restrict disclosure to a health plan where the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law and the record pertains solely to a healthcare item or service for which the patient, or a person other than the health plan on behalf of the patient, has paid the Part 2 program in full.

Penalties

The final rule makes HIPAA and HITECH Act civil and criminal penalties applicable to violations of the Part 2 Regulations. The final rule creates a safe harbor from civil and criminal liability for a person acting on behalf of an investigative agency having jurisdiction over the activities of a Part 2 program or other person holding SUD records for a use or disclosure of such records inconsistent with the Part 2 Regulations that occurs while acting within the scope of their employment in the course of the investigation or prosecuting a Part 2 program or person holding the record. Certain conditions must be satisfied in order for the safe harbor to be available.

Additional Considerations; Effective and Compliance Dates

In addition to the revisions to the Part 2 Regulations discussed above, the final rule also enhances the security and protection for SUD records, including the expansion of the prohibitions on the use and disclosure of such records in civil, criminal, administrative or legislative proceedings conducted by a federal, state or local authority against a patient, absent a court order or the consent of the patient.

The final rule becomes effective 60 days after it is published in the Federal Register (April 16, 2024) and, unless delayed, the proposed compliance date is 24 months after publication of the final rule, except for the accounting of disclosures for TPO through an electronic health record, which is delayed until similar revisions to the HIPAA regulations are finalized. In the interim, Part 2 programs, covered entities and business associates should review their consent and authorization forms, policies and procedures, including privacy notices, and implement or amend them as necessary to comply with the final rule. In addition, these entities should update their training materials and tools and have the staff trained on the new requirements. Part 2 programs will also need to become accustomed to the HIPAA breach notification requirements and establish breach response policies and procedures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.